Phase 3: Automated Detection
After Traps analyzes the memory dump, it automatically performs a
secondary analysis whose results you can use to verify the legitimacy
of a prevention event. The secondary analysis provides greater insight
into the nature of the event by running detection tools, including ROP
chain detection and heap spray detection, to identify additional traces
of malicious activity.
If the detection tools identify traces of malicious activity, Traps
stores the information in a system log file on the endpoint, named
using the following syntax: Traps prefix-unique client ID-event ID.
Traps also reports the detection to the ESM Server. The ESM Console
displays the results in the Traps Automatic Dump Analysis section of
each prevention event record, including whether or not each detection
tool succeeded in identifying additional malicious activity. If Traps
fails to capture the memory, creates the dump file incorrectly, or
otherwise fails to complete the secondary analysis, the ESM Console
hides this section in the event record.
If the detection tools identify one or more additional traces of
malicious activity, there is a high likelihood that the prevention
event is a legitimate threat.
To further troubleshoot or analyze security events, view the
forensic data that Traps collects as described in Phase 4: Collection of Forensic Data.